authorAric Gardner <agardner@linuxfoundation.org>2017-08-31 20:21:16 +0000
committerGerrit Code Review <gerrit@opnfv.org>2017-08-31 20:21:16 +0000
commitd1fe715a48749e6363b27e2479f5eca8c92043f9 (patch)
tree189f463d728aab78a279439491b47a3f62726333
parent9671dbbce50fad2173447f3a43b0bec26500ca82 (diff)
parentf5f335aa4e575512bd5184fb7dea97f6d0f5c416 (diff)
Merge "desc field set to just one line"
-rw-r--r--master_list.yaml25
1 files changed, 7 insertions, 18 deletions
diff --git a/master_list.yaml b/master_list.yaml
index 178dde4..af35076 100644
--- a/master_list.yaml
+++ b/master_list.yaml
@@ -101,9 +101,7 @@ file_audits:
ripemd:
regex: ripemd
- desc: |
- "RACE Integrity Primitives Evaluation Message Digest
- is an insecure hashing algorithm"
+ desc: "RACE Message Digest is an insecure hashing algorithm"
secret:
regex: secret
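Review bot: The shortened `desc:` on the ripemd rule trades accuracy for brevity: "RACE Message Digest" is not the algorithm's name (RIPEMD expands to RACE Integrity Primitives Evaluation Message Digest), and the flat "insecure hashing algorithm" claim is only established for the original 128-bit RIPEMD, whereas `regex: ripemd` also matches RIPEMD-160, which has no known practical collision attack and is still widely deployed. Since this string is what the audit reports to the person triaging the hit, it should name the algorithm correctly and scope the claim so RIPEMD-160 matches are not dismissed or misclassified; one line still fits, e.g. `desc: "RIPEMD: original 128-bit variant has known collisions; RIPEMD-160 also matched"`. If the intent is really to flag every RIPEMD use regardless of variant, say so in the description rather than calling the whole family insecure.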
@@ -152,38 +150,29 @@ file_audits:
apprun:
regex: app\.run\s*\(.*debug.*=.*True.*\)
desc: |
- "Running flask in debug mode can give away sensitive data on a
- systems configuration"
+ "Running flask in debug mode can give away sensitive data"
autoescape:
regex: autoescape.*=.*False
- desc: |
- "Without escaping HTML input an application becomes
- vulnerable to Cross Site Scripting (XSS) attacks."
+ desc: "Not escaping HTML input is vulnerable to XSS attacks."
safestring:
regex: safestring\.mark_safe.*\(.*\)
- desc: |
- "Without escaping HTML input an application becomes
- vulnerable to Cross Site Scripting (XSS) attacks."
+ desc: "Not escaping HTML input is vulnerable to XSS attacks."
shelltrue:
regex: shell.*=.*True
- desc: |
- "Shell=True can lead to dangerous shell escapes,
- expecially when the input can be crafted by untrusted external input"
+ desc: "Shell=True can lead to dangerous shell escapes"
tmp:
regex: \/tmp\/
desc: |
- "Use of tmp directories can be dangerous. Its world writable and
- accessable, and can be easily guessed by attackers"
+ "tmp directories are risky. They are world writable and easily guessed"
yamlload:
regex: \yaml\.load
desc: |
- "Avoid dangerous file parsing and object serialization libraries,
- use instead `yaml.safe_load`"
+ "Avoid dangerous file parsing & serialization libs, use yaml.safe_load"
telnet:
regex: telnet